Peer-to-peer lending marketplace Prosper detected unauthorized activity on their systems on September 2, 2025.
It published an FAQ page later that month to address the incident. During the incident, the attacker stole personal information belonging to Prosper customers and loan applicants.
As Prosper stated:
“We have evidence that confidential, proprietary, and personal information, including Social Security numbers, was obtained, including through unauthorized queries made on Company databases that store customer and applicant data.”
While Prosper did not share the number of affected people, BleepingComputer reported that it affected 17.6 million unique email addresses.
The stolen data associated with the email addresses reportedly includes customers’ names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user-agent details.
Prosper advised that no one gained unauthorized access to customer accounts or funds and that their customer-facing operations continued without interruption.
Even without account access, the stolen data is more than enough to fuel targeted, personalized phishing and even identity theft. The investigation is still ongoing but Prosper has promised to offer free credit monitoring, as appropriate, after determining what data was affected.
Protecting yourself after a data breach
If you think you have been the victim of a data breach, here are steps you can take to protect yourself:
- Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
- Consider not storing your card details. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
- Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
